System and method for processing and protecting content

ABSTRACT

Systems and methods that process and protect content are provided. In one example, a system may include, for example, a first device coupled to a second device. The first device may include, for example, an integrated circuit that may include a content processing system and a security system. The security system may include, for example, a digital rights manager. The first device and the second device may be part of a network. The network receives content and control information via the first device. The content processing system processes incoming content based upon at least the control information. The integrated circuit protects the content before placing the content on the network.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent application Ser. No. 12/485,694, filed on Jun. 16, 2009, which is a continuation of U.S. application Ser. No. 10/326,944, filed Dec. 20, 2002 and issued as U.S. Pat. No. 7,549,056, which makes reference to, claims priority to:

U.S. application Ser. No. 60/410,771, filed Sep. 13, 2002;

U.S. application Ser. No. 60/413,871, filed Sep. 25, 2002;

U.S. application Ser. No. 60/414,080, filed Sep. 27, 2002; and

U.S. application Ser. No. 60/419,711, filed Oct. 17,2002,

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 10/310,083, filed Dec. 4, 2002, which claims priority to and claims benefit from.

U.S. application Ser. No. 60/414,080, filed Sep. 27, 2002, and U.S. application Ser. No. 60/419,353, filed Oct. 18, 2002;

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 10/310,075, filed Dec. 4, 2002 and issued as U.S. Pat. No. 7,797,550, which claims priority to and claims benefit from U.S. application Ser. No. 60/413,871, filed Sep. 25, 2002, and U.S. application Ser. No. 60/419,474, filed Oct. 18, 2002;

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 10/153,338, filed May 22,2002, now issued U.S. Pat. No. 7,058,803;

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 10/141,599, filed May 8, 2002, now issued U.S. Pat. No. 6,789,159;

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 10/141,197, filed May 8, 2002 and issued as U.S. Pat. No. 7,681,043;

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 09/900,224, filed Jul. 6, 2001 and issued as U.S. Pat. No. 7,548,622, which claims priority to and claims benefit from U.S. application Ser. No. 60/216,588, filed on Jul. 7, 2000;

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 10/053,904, filed Jan. 24,2002, now issued U.S. Pat. No. 7,174,452, which claims priority to and claims benefit from U.S. application Ser. No. 60/263,793, filed Jan. 24, 2001, and U.S. application Ser. No. 60/272,965, filed Mar. 2, 2001; and

said U.S. application Ser. No. 10/326,944 is a continuation-in-part of U.S. application Ser. No. 09/525,872, filed Mar. 15, 2000, now issued U.S. Pat. No. 6,868,072, which claims the benefit of U.S. application Ser. No. 60/125,174, filed Mar. 19, 1999, and U.S. application Ser. No. 60/125,292, filed Mar. 19, 1999;

all of which are incorporated by reference herein in their entirety.

BACKGROUND OF THE INVENTION

Content and rights protection present major obstacles to accessing quality content on content delivery systems. Currently there are no standards for digital rights management (DRM). Instead, there are a variety of proprietary DRM methods and schemes. Therefore, interoperability between different DRM methods does not exist and limits the range of distribution possibilities. Similarly, conflicting conditional access systems used by video delivery systems have limited product competition and content distribution.

Furthermore, conventional DRM products do not provide adequate solutions for use in home networks. They consider only the delivery of content to the user and do not take into account distribution of the content within the home.

Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of ordinary skill in the art through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.

BRIEF SUMMARY OF THE INVENTION

Aspects of the present invention may be found in, for example, systems and methods that process and protect content. In one embodiment, the present invention may provide a system that processes and protects content. The system may include, for example, a first device coupled to a second device. The first device may include, for example, an integrated circuit that may include a content processing system and a security system. The security system may include, for example, a digital rights manager. The first device and the second device may be part of a network. The network receives content and control information via the first device. The content processing system processes incoming content based upon at least the control information. The integrated circuit protects the content before placing the content on the network.

In another embodiment, the present invention may provide a system that processes and protects content. The system may include, for example, a plurality of devices coupled to a server via a network. The server may include, for example, an application specific integrated circuit (ASIC). The ASIC may include, for example, hardware modules capable of performing the following: processing content and control information, distributing content on the network, and protecting content distributed on the network.

In yet another embodiment, the present invention may provide a method that process and protects content. The method may include one or more of the following: receiving protected content and control information in an integrated circuit; processing, via the integrated circuit, the content based at least upon the control information; protecting the content, via the integrated circuit, before leaving the integrated circuit; and distributing the protected content on a network from the integrated circuit.

These and other features and advantages of the present invention may be appreciated from a review of the following detailed description of the present invention, along with the accompanying figures in which like reference numerals refer to like parts throughout.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 A shows a block flow diagram illustrating an embodiment of a system that provides content processing and protection according to the present invention.

FIG. 1B shows a block flow diagram illustrating an embodiment of a system that provides content processing and protection according to the present invention.

FIG. 2 shows a block flow diagram illustrating an embodiment of a system that provides content distribution and protection using a home gateway digital rights manager according to the present invention.

FIG. 3 shows a block diagram illustrating an embodiment of a home network according to the present invention.

FIG. 4 shows a block diagram illustrating an embodiment of a digital rights management (DRM) architecture according to the present invention.

FIG. 5 shows a block diagram illustrating an embodiment of a DRM architecture with embedded content security according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1A shows a block flow diagram illustrating an embodiment of a system that provides content processing and protection according to the present invention. The system may include, for example, a set top box system 10, home devices 30, a content provider 40, a content protector 50, a clearinghouse 60, a streaming server 70, a web server 80 and a video server 90. The set top box system 10 may include, for example, an integrated circuit 20 that may be adapted to provide content processing and content protection. In one embodiment, the integrated circuit 20 may include an application specific integrated circuit (ASIC). In another embodiment, some components of the system in addition to the set top box system 10 may include respective integrated circuits 20. For example, in FIG. 1B, one or mom of the home devices 30, the clearinghouse 60, the streaming server 70, the web server 80 or the video server 90 may each include a respective integrated circuit 20. Although illustrated as a set top box system, the present invention may contemplate other systems and devices that process or protect content such as, for example, computers, media servers, etc.

As illustrated, the content provider 40 is coupled to the content protector 50. The content protector 50 is coupled to the streaming server 70, the web server 80 and the video server 90. The streaming server 70, the web server 80 and the video server 90 are coupled to the set top box system 10. The content protector 50 is also coupled to the clearinghouse 60 which, in turn, is coupled to the set top box system 10. The clearinghouse 60, the streaming server 70, the web server 80 and the video server 90 may be coupled to the set top box system 10 via, for example, a broadband service system (indicated generally in the FIGS. 1A-B as a dashed line). The set top box system 10 is coupled to the home devices 30. The set top box system 10 may be coupled to the home devices 30 via, for example, wired communications means (e.g., wires, cables, etc.) or wireless communications means (e.g., radio signals, infrared signals, optical signals, etc.) The set top box 10 may also employ any number of communication protocols or standards such as, for example, local area network (LAN), wide area network (WAN), Ethernet, Home Phoneline Network Alliance (HPNA), Bluetooth, digital visual interface (DVI), IEEE 802, IEEE 802.11a, IEEE 802.11b, IEEE 1394, etc.

In operation, content is provided by the content provider 40. The content may include, for example, data, audio, video, instructions, usage requirements, etc. The content protector 50 protects the content by using, for example, an encryption scheme, a scrambling scheme, etc. The usage terms are sent by the content protector 50 to the clearinghouse 60. The protector 50 also sends the content to the streaming server 70, the web server 80 and the video server 90. When a subscriber requests to display a particular content such as, for example, a particular program (e.g., cable programming, satellite programming, pay-per-view programming, video-on-demand programming, internet access, a multimedia presentation, etc.) on a particular channel on a particular home device 30 (e.g., a home display), then the integrated circuit 20 of the set top box 10 requests access to the program from the clearinghouse 60. The clearinghouse 60 may be, for example, an e-commerce services clearinghouse license server. The clearinghouse 60 then checks the access request against stored usage terms associated with the program. The clearinghouse 60 then sends an access license (e.g., entitlements) to the integrated circuit 20. The integrated circuit 20 then requests content from the streaming server 70, the web server 80 and/or the video server 90 for distribution in, for example, a home network.

The integrated circuit 20 may perform one or more of the following functions. The integrated circuit 20 may, for example, process the content for display on one or more of the home devices 30. For example, the integrated circuit 20 may include a movie pictures experts group (MPEG) decoding engine including, for example, a digital demodulator, an analog demodulator, an MPEG transport engine, a video decompression engine, an audio decompression engine, etc. The integrated circuit 20 may also prepare the content for distribution on the home network.

The integrated circuit 20 may protect content leaving the integrated circuit 20 or the set top box system 10 and may recover protected content entering the integrated circuit 20 or the set top box system 10. For example, content may be received by the integrated circuit 20 from the servers 70, 80, 90 in a protected format. The integrated circuit 20 may then recover content from the received protected content. Furthermore, to protect the content from end to end, the content may be protected before leaving the integrated circuit 20 for one or more of the home devices 30. In another example, the set top box system 10 may be part of a personal video recording (PVR) system. Accordingly, a storage device may be coupled to the integrated circuit 20. The storage device may be, for example, an electrical storage device, a magnetic storage device, an electromagnetic storage device, an optical storage device, a mechanical storage device, a storage network or some combination thereof. However, to securely buffer the content in the storage device, content sent from the integrated circuit 20 to the storage device is protected before the content leaves the integrated circuit 20. Examples of such systems may be found, for example, in U.S. Provisional Patent Application Ser. No. 60/413,871 entitled “System and Method for Securely Buffering Content” and U.S. patent application Ser. No. 10/310,075, entitled “System and Method for Securely Buffering Content,” which were incorporated by reference in their entirety.

The integrated circuit 20 may use the access license from the clearinghouse 60 to determine to which, if any, of the home devices 30 the content may be distributed. Furthermore, the integrated circuit 20 may process control information (e.g., digital rights management (DRM) controls, copy control information (CCI), etc.) in a secure manner. The control information may be used to affect the content processing as well as the control information itself. For example, the control information may be embedded in the transport stream received from the servers 70, 80, 90 indicating, for example, that the content may be copied only once. After the content is copied once, the control information may be changed by the integrated circuit 20, which due to its high level of security is a trusted party, to reflect that the content has been copied once (e.g., change control information to indicate that no more copying of the content is allowed). The integrated circuit 20 may be adapted, for example, to validate control information, to process control information, to affect content processing and to display in light of the validated and processed control information and to modify the control information. Example of such a system may be found, for example, in U.S. Provisional Patent Application Ser. No. 60/414,080 entitled “System and Method for Securely Handling Control Information” and U.S. patent application Ser. No. 10/310,083 entitled “System and Method for Securely Handling Control Information”, which were incorporated by reference in their entirety.

The integrated circuit 20 may be adapted to securely control set top box system functions and features. For example, the integrated circuit 20 may include a memory array such as, for example, a non-volatile memory (e.g., a one-time programmable non-volatile memory). The non-volatile memory may include, for example, a data array and banks of mode control bits that may be initially programmed so that the subscriber can access particular features and functions provided by the integrated circuit 20. For example, the mode control bits may be one-time programmed by the subscriber or by the manufacturer to enable particular features or functions. In addition, the mode control bits can be locked using locking bits or other locking mechanisms. The data array may include, for example, security information such as a device identification number and keys that may be locked physically by the one-time programmable memory as well as logically by a cyclical redundancy check (CRC) stored in the non-volatile memory. In addition, the memory array may be further programmed to enable particular features and functions if the subscriber can provide authorization via, for example, a challenge/response mechanism, a password authentication or other authorizing schemes. The integrated circuit 20 may also detect if it has been tampered with and invalidate the memory may, thereby making the integrated circuit 20 useless or thereby allowing the integrated circuit 20 to provide only the most basic services. Examples of such systems may be found, for example, in U.S. application Ser. No. 10/141,197 entitled “System and Method for Configuring Device Features via Programmable Memory;” U.S. application Ser. No. 10/141,599 entitled “System and Method for Programming Non-Volatile Memory;” and U.S. application Ser. No. 10/141,549 entitled “System and Method for Securely Controlling Access to Device Functions,” which were incorporated by reference in their entirety.

The integrated circuit 20 may also determine access via a conditional access card coupled to an interface coupled to the integrated circuit 20 and protect content between the integrated circuit 20 and the conditional access card. The conditional access card may be, for example, a personal computer memory card international association (PCMCIA) card, a smart card, an interface car, etc. The conditional access card may be a printed circuit board that is plugged into, mounted on, or integrated with a motherboard on which is located the integrated circuit 20. The conditional access card may be, for example, a common interface card or a point of deployment (POD) module. Examples of such systems may be found, for example, in U.S. application Ser. No. 10/153,338 entitled “System and Method for Protecting Transport Stream Content,” which was incorporated by reference in its entirety.

The integrated circuit 20 may also provide a home gateway digital rights manager. The home gateway digital tights manager may be adapted to, for example, encrypt content, authenticate end points, secure rights management and revoke rights. In support of DRM, the integrated chip 20 may be adapted to provide one or more of the following, including: security protection on digital interfaces; secure rights handling; and secure processing, input/output I/O) and crypto-engine function. The latter option may provide restricted access to the memory and I/O; operational integrity; and a secure crypto-toolkit.

The home gateway digital rights manager may include, for example, a hardware crypto-toolkit that may be used for DRM, conditional access and e-commerce. The toolkit may provide a set of cryptographic and security capabilities that can be used by the DRM provider in support of its communication protocols. Hardware tools offer higher performance levels (e.g., processing speeds) and provide security over software architectures. Hardware tools also offer hardware protection for key transfers and key storage while, for example, being staged for insertion encrypt/decrypt blocks or authentication algorithms.

In one embodiment, the DRM architecture offers a comprehensive security capability including one or more of the following: access control; content protection; rights management; privacy; full-home network coverage; flexibility with respect to content delivery and distribution; support for various transport formats (e.g., download, streaming, etc.); PVR store-and-forward; and home networking.

Some aspects of the present invention may provide some or all of the security functionality in the hardware of an integrated circuit. The hardware of the integrated circuit may also be adapted to provide content processing. In one embodiment, all of the security functionality may be embedded in the same integrated circuit (e.g., a single integrated chip) that also provides content processing.

FIG. 2 shows a block flow diagram illustrating an embodiment of a system that provides content distribution and protection using a home gateway digital rights manager according to the present invention. The home gateway digital rights manager provides DRM support into the home and also provides an end-to-end protection solution.

FIG. 3 shows a block diagram illustrating an embodiment of a home network according to the present invention. The home network (e.g., an HPNA home network) 130 may include, for example, a home gateway digital rights manager 100 and clients 110 (e.g., HPNA clients). The home gateway digital rights manager 100 may also be coupled to a WAN 120.

In one embodiment, the home gateway digital rights manager 100 may decrypt content received on the WAN 120 according to a conditional access system or a DRM system and then re-encrypt the content to be distributed on the home network using a home network encryption. For example, the data encryption standard (DES), triple DES (3DES) or 3DES PVR encryption may be used to protect content on the home network 130. In addition, all nodes may be authenticated to the home gateway digital rights manager 100.

FIG. 4 shows a block diagram illustrating an embodiment of a DRM architecture according to the present invention. The DRM architecture includes, for example, a managing block 140 that supports a baseline DRM product (e.g., a standards-based DRM product), managing blocks 150 that support proprietary DRM products, an application program interface (API) and a block 160 that supports crypto tools and DRM service controls. Accordingly, the DRM architecture can support either a baseline DRM product or a proprietary DRM product. The DRM architecture may also be able to convert the proprietary DRM control information into, for example, baseline DRM control information or other proprietary DRM control information so as to overcome interoperability problems between DRM methods. Furthermore, the DRM architecture also may support, complement and supplement a particular manufacturer's proprietary security hardware and software capabilities by providing access to the crypto tools available from the integrated circuit 20. For example, the crypto tools may extend the management of content while, for example, being recorded or shared with other devices.

Crypto tools may include, for example, one or more of the following cryptographic hardware modules in support of content protection and security, For example, a DVB common descrambler and DES/3DES devices may be used in MPEG transport decryption for conditional access. DES/3DES devices may be used in personal video recording. DVI/HDCP and PVR DES/3DES may be used in home networking. Furthermore, crypto tool may include a general set of cryptographic tools (e.g., for internet protocol and above), including: DES, 3DES, RC4, advanced encryption standard (AES); secure hash algorithm-1 (SHA1), message digest 5 (MD5), HMAC-SHA1, HMAC-MD5, public key acceleration (RSA/DSS/DH), etc.

In one embodiment, the present invention may provide a highly integrated system-on-a-chip ASIC architecture capable of merging content protection and security functions with audio and video decoding and processing functions. With a baseline DRM or common DRM standard, compliant functions can be built-in to single-chip devices and can eliminate the need and costs associated with special purpose hardware security modules. With content protection and security capabilities integrated with the processing and interface functions of a single-chip device, the single-chip device may provide full-hardware tamper resistance or supplement software tamper-resistance schemes.

FIG. 5 shows a block diagram illustrating an embodiment of a DRM architecture with embedded content security according to the present invention. The home network may include, for example, home devices. One or more of the home devices may include, for example, an embedded content security element. One or more of the home devices may be adapted for receiving conditional access cards. In one example, the home device may be adapted to receive a conditional access card for use in e-commerce or a conditional access card for use in renewing or upgrading features or functions of the home device. One or more of the home devices may be coupled to a remote system that, for example, may provide content and control. The remote server may include, for example, a network element (e.g., a server) a content security element and a rights management system.

In operation, a home device requests particular programming from the remote system. The home device may also send content control messages. The content control messages may reflect information received by the home device from any conditional access cards as well as other information stored in the home device. For example, the content control message may include a digital certificate from a trusted authority (e.g., a certification authority) that may assist the remote system in verifying the identity of the home device or the home network. The content control message may be parsed by the content security element which may request and obtain particular rights for the rights management system. The particular rights granted to the home device may be based upon, for example, the content control messages and the particular program request received by the remote system. Based upon the granted rights, the remote system may send the particular program as protect content with accompanying control information. The home device may then process the protected content received from the remote system based upon, for example, the control information and the available or enabled home device features or functions. The home device may then send to requested content to one or more of the other home devices on the home network. The content may be protected with, for example, a particular home network encryption. The distribution of the content within the home network may be limited, for example, by the control information.

By combining one or more of the above-identified functions on a single integrated chip (e.g., an ASIC), the system-on-a-chip device may offer one or more of the following advantages. For example, integration may result in lower overall product costs. Integration onto a single device may include the integration of DRM functions, thereby sustaining a higher level of tamper resistance. Furthermore, the security of the set top box system 10 may be enhanced over software-only environments or segregated security modules.

By using hardware protection, access to content and content protection parameters can be restricted. Hardware protection is more robust than software-only tamper resistance schemes. Furthermore, if the hardware is attacked, the attacks are not easily scaled to larger populations. In contrast, hacked software is relatively easy to distribute to a large population of unauthorized users. With hardware protections, the endpoints can gain a higher level of trust. The distribution of high-value content may directly result from the deployment of highly trusted, interoperable equipment and systems for the distribution of content.

While the present invention has been described with reference to certain embodiments, it will, be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the present invention. In addition, many modifications may be made to adapt a particular situation or material to the ‘teachings of the present invention without departing from its scope. Therefore, it is intended that the present invention not be limited to the particular embodiment disclosed, but that the present invention will include all embodiments falling within the scope of the appended claims. 

What is claimed is:
 1. A computing device for processing and securing content, comprising: a network interface configured to receive content and control information and to couple to a second device via one or more networks, wherein the control information is provided by a clearinghouse; a content processing system configured to process the received content based on the received control information; and a digital rights manager configured to: secure the content, determine that the content may be distributed to the second device, grant rights to the content to the second device based on the control information, and place the secured content on a first network of the one or more networks.
 2. The computing device according to claim 1, further comprising: a non-volatile memory that includes a set of mode control bits configured to allow secure programming of a device feature of the computing device.
 3. The computing device according to claim 2, wherein the non-volatile memory stores one of a cryptographic key and a device identification number of the computing device.
 4. The computing device according to claim 1, wherein the first network comprises a wireless network supporting one or more of the following wireless communication protocols: Bluetooth, IEEE 802.11 and an amendment to IEEE 802.11.
 5. The computing device according to claim 1, wherein the digital rights manager is configured to secure the content placed on the first network using a network encryption scheme.
 6. The computing device according to claim 1, wherein the digital rights manager supports a first type of digital rights management and a second type of digital rights management.
 7. The computing device according to claim 6, wherein the digital rights manager supports interoperability between the first type of digital rights management and the second type of digital rights management.
 8. The computing device according to claim 1, wherein the content is provided by a content provider.
 9. The computing device according to claim 8, wherein the computing device is configured to receive an access license from the clearinghouse and to request particular content via a second network from a streaming server, a web server, or a video server that is servicing the content provider.
 10. The computing device according to claim 9, wherein the digital rights manager is further configured to use the access license to determine whether to distribute the content to the second device.
 11. A method of processing and securing content, comprising: receiving content and control information at a computing device via a first network, wherein the control information is provided by a clearinghouse; processing the received content based on the received control information; securing the processed content; determining that the content may be distributed to a second device; granting rights to the conent to the second device based on the control information; and placing the secured content on a second network coupled to the second device.
 12. The method according to claim 11, further comprising: securing the programming of a device feature of the computing device using a non-volatile memory that includes a set of mode control bits.
 13. The method according to claim 12, wherein the non-volatile memory stores one of a cryptographic key and a device identification number of the computing device.
 14. The method according to claim 11, wherein the second network is a wireless network supporting one or more of the following wireless communication protocols: Bluetooth, IEEE 802.11 and an amendment to IEEE 802.11.
 15. The method according to claim 11, wherein the processed content is secured using a network encryption scheme.
 16. The method according to claim 11, wherein the first network is an external broadband network.
 17. The method according to claim 11, wherein the content is provided by a content provider and.
 18. The method according to claim 17, further comprising: receiving an access license from the clearinghouse; and requesting particular content from a streaming server, a web server, or a video server that is servicing the content provider.
 19. The method according to claim 18, wherein the placing is conditional based on a determination that the access license allows distribution of the received content to the second device.
 20. A non-transitory computer readable medium containing computer instructions that, when executed by a computer processor, cause the processor to perform steps comprising: receiving content and control information at a computing device via a first network; processing the received content based on the received control information; securing the processed content using a digital rights manager; placing the secured content on a second network coupled to a second device processing incoming content based upon at least the control information, the incoming content and the control information being received by the computing device from an external broadband network; storing content in a storage device and providing the stored content to a wireless network; and wherein the digital rights manager supports a first type of digital rights management and a second type of digital rights management.
 21. A computing device for processing and securing content, comprising: a network interface configured to receive content and control information and to couple to a second device via one or more networks; a non-volatile memory that includes a set of mode control bits configured to allow secure programming of a device feature of the computing device; a content processing system configured to process the received content based on the received control information and the mode control bits stored in the non-volatile memory; and a digital rights manager configured to secure content and to place the secured content on a first network of the one or more networks.
 22. A method of processing and securing content, comprising: receiving content and control information at a computing device via a first network; securing a programming of a device feature of the computing device using a non-volatile memory that includes a set of mode control bits; processing the received content based on the received control information and the set of mode control bits; securing the processed content; and placing the secured content on a second network coupled to a second device. 